A worm hid in 3D art files on a major creative marketplace, and most home security products missed it

PREVIEWA worm hid in 3D art files on a major creative marketplace, and most home security products missed it · MD

A Python worm hid inside Autodesk Maya scene files on Fab.com, Epic Games' marketplace for 3D models and textures, and infected users who downloaded what looked like ordinary design assets. The case is now part of the public record behind AV-Comparatives' Real-World Protection Test for February through May 2026, and it is the reason the "trusted platform" assumption no longer holds for home users.

The worm, classified as MEL/Vacphage.A, was written in Python and embedded inside Maya Binary (.mb) files, the project format used by Autodesk Maya, a 3D content creation tool used in film, games, and hobbyist work. When a user opened the file, the script ran through Maya's embedded scripting layer, a feature designed to let artists automate repetitive tasks. That same feature is what turned a creative asset into a delivery vehicle. AV-Comparatives reported the worm to Epic Games' security team before publication, a responsible-disclosure step security researchers and home users can model in their own work.

The numbers from the February-May 2026 test give the case its scale. AV-Comparatives, the independent cybersecurity testing organization that ran the test, evaluated 20 consumer security products against real-world internet threats under controlled conditions. Seven earned ADVANCED+, the lab's highest award tier, indicating consistent and reliable protection across the test window. The remaining 13 products landed in lower tiers (ADVANCED, STANDARD, or TESTED) within AV-Comparatives' own grading framework, with results that home users can compare directly on the lab's site.

The Fab.com discovery is the part of the story that should change behavior. Hobbyists and working 3D artists often download assets from marketplaces to save time, and the assumption has been that a major, recognizable platform is reasonably safe. The Maya worm shows that platform reputation does not equal file vetting. A file format with a built-in scripting layer is a known attack surface, and independent testing is now the only way for a home user to know which products would have caught it.

The caveats are real. The source for the test results is a press release distributed by AV-Comparatives itself, and the full report is hosted at av-comparatives.org, where the methodology and per-product scores are published in detail. The 20-product sample is industry-standard but not exhaustive, and AV-Comparatives' award tiers (ADVANCED+, ADVANCED, STANDARD, TESTED) are the lab's own framework rather than an external standard. Independent testing has its own methodology choices and is not a substitute for a user's own judgment. What the test does provide is a public, repeatable reference point at a moment when home users are encountering malware through the creative tools they already use.

For readers, the update to the threat model is simple: treat any downloaded asset as code first and content second. Open Maya files in a sandboxed or disposable environment when possible, keep security software current, and weigh independent test results over vendor marketing. AV-Comparatives has made the full February-May 2026 report freely available on its site, and the Fab.com disclosure is the most concrete reason in 2026 to read it.

A worm hid in 3D art files on a major creative marketplace, and most home security products missed it — type0 | type0

A worm hid in 3D art files on a major creative marketplace, and most home security products missed it

Sources